Security attacks are increasing in number and sophistication. According to the Ponemon Institute’s latest report, despite security professionals’ best efforts, data breaches increased 130 percent from 2006 to 2019. The report found the average cost of a data breach reached USD 8.19M in the US and USD 3.9M average globally in 2019. Given these figures, it’s no surprise that in Lopez Research’s Enterprise IT Benchmark surveys, IT leaders consistently rank securing the business as one of their company’s top three project priorities.

Sadly, there’s no silver bullet for security. A robust security plan requires a layered set of defenses. Security starts with the devices that connect to the network, such as a PC, smartphone, or sensor. It extends through the cloud and into the SaaS and corporate applications your employees use daily. Each layer must be secured to minimize a company’s attack surface.

Start with the basics by enhancing PC security

A company’s security plan must continuously adapt to the evolving threat landscape. For example, device security isn’t a new concept, but like everything in security, the threats constantly change. Many organizations feel they’re safe because they have embraced PC device management, malware-prevention software, and endpoint detection and response solutions. However, even with these tools, organizations struggle to keep security woes at bay. Meanwhile, bad actors continue to find new attacks at deeper layers within device platforms. Today, attackers are exploiting vulnerabilities below the operating system, in the BIOS.

The BIOS’s primary function is to handle the system setup process, including hardware initialization, the operating system boot, and the launching of drivers. It controls the first steps that happen in any computing process.

Securing the BIOS helps protect against new attacks

The BIOS is your first line of PC defense—or the most fundamental attack surface. The BIOS must be secure by design because all of the computing layers above it depend on its security. If the BIOS is compromised, it doesn’t matter what security resides at or above the operating system.

To ensure the overall health of the PC, IT must have systems that prevent, detect, and repair attacks at the BIOS layer. The most secure implementation of a root of trust is one anchored in hardware. While software can protect the OS layer and above, the most efficacious BIOS-level security requires a hardware-based solution, either a stand-alone security module or a security module implemented within a processor or system-on-chip (SoC).

Why BIOS security matters

A hardware-based secure BIOS solution provides a secure enclave where it verifies the BIOS on initial boot before the CPU runs any code. If it detects a malicious attack or an error in the BIOS, it repairs the system using a clean, redundant copy of the BIOS. This hardware-based system helps ensure that your PC boots using only firmware that is trusted by the manufacturer. Without this type of prevention, a machine with a compromised BIOS will require a service call for a system board replacement.
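The verify-then-repair flow described above, modeled as an added example (not code from the original post or from any vendor): a simulated root of trust measures the primary BIOS image before anything else runs, and if the measurement does not match the manufacturer-provisioned reference, it restores the primary slot from the redundant copy, provided that copy itself verifies. The flash layout, image contents, and the use of a SHA-256 digest as the reference are assumptions chosen for the simulation.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample: the manufacturer's known-good BIOS image and the
# reference digest that, on real hardware, lives in tamper-resistant storage.
GOLDEN_BIOS = b"BIOS v1.0 - manufacturer-signed image (constructed sample)"
TRUSTED_DIGEST = hashlib.sha256(GOLDEN_BIOS).digest()

# Constructed sample: a primary image that has been altered after provisioning.
TAMPERED_BIOS = GOLDEN_BIOS.replace(b"v1.0", b"v1.0-modified")


@dataclass
class BootDecision:
    slot: str        # which flash slot the CPU will be released to boot from
    repaired: bool   # True if the primary slot was rewritten from the redundant copy


def measure(image: bytes) -> bytes:
    """Measurement step: hash the whole image before the CPU executes any of it."""
    return hashlib.sha256(image).digest()


def matches(image: bytes, trusted_digest: bytes) -> bool:
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(measure(image), trusted_digest)


def verify_and_repair(flash: dict, trusted_digest: bytes) -> BootDecision:
    """Simulated root-of-trust check over a flash map with 'primary' and 'redundant' slots."""
    if matches(flash["primary"], trusted_digest):
        return BootDecision(slot="primary", repaired=False)
    # Primary failed verification; only recover from a redundant copy that verifies too,
    # otherwise there is no trusted firmware and the boot must halt.
    if not matches(flash["redundant"], trusted_digest):
        raise RuntimeError("no trusted BIOS image available; halting boot")
    flash["primary"] = flash["redundant"]  # repair the primary slot in place
    return BootDecision(slot="primary", repaired=True)


if __name__ == "__main__":
    flash = {"primary": TAMPERED_BIOS, "redundant": GOLDEN_BIOS}
    print(verify_and_repair(flash, TRUSTED_DIGEST))  # BootDecision(slot='primary', repaired=True)
```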

Solving the problem

It’s clear that companies need to ensure device security at the lowest levels of the IT stack, but most organizations believe PCs are secure because they’ve added software protections. IT must block new threats that occur at the hardware level, and the best way to do this is with hardened systems. Hardware-based security isn’t a feature you can bolt on to existing machines. Protecting against this new category of threats requires upgrading the company’s aging fleet of PCs, but not just with any hardware.

IT buyers should look for systems that offer BIOS-level security. Implementing BIOS-level security in hardware makes at least one area of the security stack more tamper-proof. Hardware-based security processing also helps improve the speed of the security check, enhancing the end user’s security experience. In an interview with Lopez Research, Baiju Patel, the chief security architect for Intel’s Client Computing Group and an Intel Fellow, said that BIOS-level protection is one of the key features Intel provides in its vPro platform. Patel said Intel may be able to eliminate a whole class of possible threats by delivering hardware-enhanced security features such as BIOS-level protection at the chip level.

BIOS-level security alone won’t protect you from all threats, but it provides a solid foundation on which your organization can build advanced security efforts. Without this level of protection, organizations have an unknown Achilles’ heel that attackers can exploit at any time. Fortunately, PC providers are delivering solutions based on technologies, such as the Intel vPro platform, to offer secure silicon and software offerings for enterprise IT buyers.

This post was originally published here.